Status

Content to be finalized. First draft

Overview

Struts is an Apache framework aimed at simplifying the creation of dynamic web applications in Java.

Struts is built on a MVC architecture, which means the application is arranged into 3 primary types of code. These are know as a Model, View and Controller. The Model defines the structure of your data being processed. The View defines everything that a end user can see. The controller take the model as submitted from the page, performs business logic on the data, then decides what view should be responsible for displaying the result.

I will not spend any more time talking about the architecture of struts. If you would like to have more information on that topic, I suggest going to the official website.

Security in the Model

Validation

The Struts Validation Framework is the primary method of validating a struts based application. Struts validation consists of a few elements to be setup. To properly use Struts validation your application should have the following...

A validator-rules.xml file in the WEB-INF folder.

A validator.xml in the WEB-INF folder.

All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.

Examples

Security in the View

Output Sanitation

Output sanitation is the process of ensuring that your output does not contain HTML or XML specific characters. So, for example a '<' becomes '&lt;'. This should be used as a secondary XSS prevention method. Primary method of prevention should be validation. Luckily some Struts tags include output sanitation by default. If you're tag is not here, then you should implement sanitation manually.

Sanitized tags

bean:Write (may be overwritten by setting filter to false)

html:Hidden

html:Messages (if the value is of type String)

html:Multibox

html:OptionsCollection (may be overwritten by setting filter to false)

html:Options (may be overwritten by setting filter to false)

html:Option (you must set filter to true)

html:Radio

html:TextArea

html:File

html:Hidden

html:Password

html:Text

Security in the Controller

Roles

In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box.